Our ePO 5.1 (RSD 220.127.116.11) generally works well, but it seems that the RSD agents keeps "re-discovering" managed systems. This leads to HIPS triggering TCP port scan alerts and producing lots of events.
Is there a way to stop RSD from portscanning managed systems?
I don't want to stop RSD from port scanning in general as that certainly has its uses. I'd just like RSD to not portscan known managed systems.....Message was edited by: mvm_101 on 3/18/14 2:23:17 PM CDT
You can only "except" systems marked as exceptions.
If you don't have too many sensors, you can add the sensor IP in the trusted network policy for HIPS or you can disable the port scanning rule in HIPS (rule 3700/3701). I'm not sure if it is still the case but those rules couldn't be disabled, so if you want to do that and if it is still the case that they can't be disabled you can reduce the level of the rule to "informational" instead of "high" or "medium"
I have filed a PER to either make RSD not port scan managed nodes, or make it such that RSD can automatically configure host IPS to not trigger alerts for th eport scanning traffic RSD creates.